Remove secrets from AWS secrets manager with PowerShell

Publish Date: May 31, 2023

Recently, I wrote a post on how to securely store secrets in AWS Secrets Manager. If you are already using Secrets Manager, you might run into the following error when creating a secret:

You can’t create this secret because a secret with this name is already scheduled for deletion

Cause of error

The reason for this error is straightforward. When you delete a secret from AWS Secrets Manager, it is not removed immediately by default. Instead, it is marked for deletion and is permanently removed automatically at the end of a recovery window, which is 30 days by default. When deleting a secret in the AWS console you can shorten the recovery window to a minimum of 7 days, but the console offers no way to delete a secret immediately and permanently.

Disable secret and schedule deletion

Now the problem is that once a secret is scheduled for deletion, you cannot create a new secret with the same name, because the name stays reserved in Secrets Manager until the recovery window expires. A simple workaround is to use a slightly different name. But what if an organizational requirement forces you to use the exact same name?

How to fix

A simple fix for this error is to use PowerShell to delete the secret permanently, skipping the recovery window entirely. To do that, launch a PowerShell console and make sure you have installed the AWS Tools for PowerShell (the AWS.Tools.SecretsManager module) and set up your AWS profile as discussed here.

  • To view a secret value, use the Get-SECSecretValue command as shown below:
    Get-SECSecretValue -SecretId 'dev/SqlServer/TestApp' -Region ap-southeast-1

    Don't forget to specify your own secret with the -SecretId parameter. Note that on a live secret this command prints the secret value to the console (and into any transcript or history); if you only want to check whether a secret is scheduled for deletion, Get-SECSecret returns the metadata, including DeletedDate, without the value.

  • To permanently remove the secret, use the Remove-SECSecret command with the -ForceDeleteWithoutRecovery parameter (the cmdlet parameter that maps to the ForceDeleteWithoutRecovery flag of the DeleteSecret API), as shown below. -Force suppresses the confirmation prompt:
    Remove-SECSecret -SecretId 'dev/SqlServer/TestApp' -Region ap-southeast-1 -ForceDeleteWithoutRecovery $true -Force
    

    Deleting a secret with no recovery option in PowerShell

You can see in the above screenshot that when we ran the Get-SECSecretValue command first, it reported that the secret is marked for deletion. The Remove-SECSecret command with the -ForceDeleteWithoutRecovery parameter then removed the secret permanently, so you can now go ahead and create a new secret with the same name. Keep in mind that this skips the safety net the recovery window provides: the secret and all of its versions are gone for good, with no way to restore them. If what you actually need is the old value back rather than a free name, Restore-SECSecret cancels the scheduled deletion instead. That was it for this post.
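The steps above as one end-to-end script. This is an added example, not code from the original post: it checks the secret's status without revealing its value, force-deletes it only if it is actually scheduled for deletion, waits for the name to become free, and then recreates the secret under the same name. It assumes the AWS.Tools.SecretsManager module is installed and a profile is configured; the secret name, region and the two-minute wait are placeholders or assumptions of this example.

```powershell
# Added example (not from the original post): free a secret name that is stuck in
# "scheduled for deletion" and recreate the secret under that name.
# Assumptions: AWS.Tools.SecretsManager is installed and a profile is configured;
# the secret name and region below are placeholders.
Import-Module AWS.Tools.SecretsManager

$SecretId = 'dev/SqlServer/TestApp'   # placeholder secret name
$Region   = 'ap-southeast-1'          # placeholder region

# Returns the secret's metadata (DescribeSecret), or $null when no secret of that
# name exists. Get-SECSecret never returns the secret value, so it is safe to run
# under a transcript; Get-SECSecretValue would print the value to the console.
function Get-SecretMetadata {
    param([string]$Id, [string]$Reg)
    try {
        return Get-SECSecret -SecretId $Id -Region $Reg -ErrorAction Stop
    }
    catch [Amazon.SecretsManager.Model.ResourceNotFoundException] {
        return $null
    }
}

$meta = Get-SecretMetadata -Id $SecretId -Reg $Region

if ($null -eq $meta) {
    Write-Host "No secret named '$SecretId' exists; the name is free."
}
elseif ($null -eq $meta.DeletedDate) {
    # Live secret: do not destroy it just to reuse the name. Rotate the value in place.
    throw "'$SecretId' is live. Use Update-SECSecret or Put-SECSecretValue instead of deleting it."
}
else {
    Write-Host "'$SecretId' was scheduled for deletion on $($meta.DeletedDate); removing it permanently."

    # ForceDeleteWithoutRecovery skips the recovery window. This is irreversible: the
    # secret and every version of it are destroyed. -Force suppresses the confirmation prompt.
    Remove-SECSecret -SecretId $SecretId -Region $Region -ForceDeleteWithoutRecovery $true -Force

    # Assumption: the permanent deletion may lag by a few seconds in the background,
    # so wait until DescribeSecret no longer finds the name before reusing it.
    $deadline = (Get-Date).AddMinutes(2)
    while ((Get-SecretMetadata -Id $SecretId -Reg $Region) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 5
    }
    if (Get-SecretMetadata -Id $SecretId -Reg $Region) {
        throw "'$SecretId' still exists after the force delete; check IAM permissions and CloudTrail."
    }
}

# Recreate the secret under the same name. The value is read as a SecureString so it is
# not echoed; New-SECSecret needs a plain string, so convert it only at the last moment.
$secure = Read-Host -Prompt "New value for $SecretId" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$new    = New-SECSecret -Name $SecretId -SecretString $plain -Region $Region
$plain  = $null   # drop the plaintext reference once it has been sent
Write-Host "Created $($new.ARN)"
```

The script refuses to delete a live secret on purpose: the error this post is about only occurs for names that are already scheduled for deletion, and force-deleting a secret that is still in use is exactly the kind of mistake the recovery window exists to catch. If you want the original value back rather than a clean slate, replace the Remove-SECSecret call with Restore-SECSecret, which cancels the scheduled deletion.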


